Crafty ZIP Archives Used to Deliver NanoCore RAT

Delaware, USA – November 7, 2019 – Adversaries have found another way to bypass secure email gateways and antimalware solutions using specially crafted ZIP archives. Researchers from Trustwave spotted an interesting spam campaign spreading NanoCore RAT, and an analysis of the attached file revealed a new method for hiding malicious files in archives, which, however, inefficient on particular systems. The archive supposedly contains a JPG file, the size of which is many times smaller than the archive itself, another part of the file contains the archived executable, pretended to be a pdf document. When a user runs “document”, the system becomes infected with the NanoCore trojan. Hiding of an additional file in the archive requires the use of two “End of Central Directory” (EOCD) entries, which usually mark the end of the archive. In this case, after the first EOCD, which identifies the archive with a harmless picture, there is another archive with its own EOCD. Such a tricky ZIP file cannot be fully analyzed by security solutions and a potential victim is likely to receive a malicious email, but not all archivers can extract the trojan from such a ‘sandwich’. Only old versions of 7-Zip, PowerArchiver, and WinRAR can extract malware from the second archive.

Despite the limited capabilities of this way to bypass the protection of organizations, millions of users worldwide use WinRAR, and threat actors quickly onboard new tricks to infect victims, as was the case with the patched critical vulnerability in WinRAR earlier this year. Only a few days passed between the publication of details about the vulnerability and the start of the APT campaign. Nanocore RAT is most often used in Business Email Compromise attacks, over the past few years these attacks have caused the most damage to the business, even ahead of ransomware attacks. Nanocore RAT activities can be detected using the rules available on Threat Detection Marketplace:
Nanocore Malware Detector (Sysmon Behavior Analysis) – https://tdm.socprime.com/tdm/info/U0tbIdHrUOeU/
NanoCore RAT (Sysmon) – https://tdm.socprime.com/tdm/info/0XCDttzG23kF/